DESCRIPTION

EFFICIENT IMPLEMENTATION OF 
ZERO KNOWLEDGE PROTOCOLS 


The present invention relates to zero knowledge protocols that allow the knowledge of some "secret" or private key information in a first party domain to be verified by a second party without imparting the actual secret information or private key to that second party or to any eavesdropping third party. In particular, the invention has application in the implementation of zero knowledge protocols in systems and devices that have restricted computational resource such as smart cards, mobile electronic devices and the like.

Throughout the present specification, the first party owning the secret information or private key ("s") and wishing to prove that it has possession of the information will be referred to as the "prover" ("P"); the second party wishing to verify that this is the case without actually receiving knowledge of the secret will be referred to as the "verifier" ("V"). The prover P and verifier V may be any suitable electronic device. The secret information may be any numeric value, hereinafter referred to as the secret number of the prover P.

Zero knowledge protocols are very valuable tools that can be used for authentication of devices such as smart cards used in financial transactions, or in pay television access, and for identification of devices connecting to a network, such as mobile telephones and other electronic devices.

Conventionally, the prover will offer a computationally difficult mathematical problem, and the verifier will ask for one of the two or more possible solutions to the problem. If the prover knows critical information relating to the solution, it is able to provide either (or any) of the requested available solutions on demand, according to the request of the verifier. If the prover does not know the critical information, it is computationally infeasible for it to always be able to provide the requested solution to the verifier.

Usually, zero knowledge protocols rely on some hard mathematical problems such as the factorisation of integers or the discrete logarithm problem. A drawback to these protocols is that they usually require extensive use of modular arithmetic, which requires greater computational resource than is desirable for lower power, limited capacity devices such as smart cards and portable electronic devices. Thus, a typical implementation time for the security protocols is greater than desirable.

It is an object of the present invention to provide a more efficient 
method of implementing zero knowledge protocols in processor devices, 
and especially in devices that have low computational resource or low 
power. 

According to one aspect, the present invention provides a method of verifying the knowledge of a secret number s in a prover device by a verifier device having no knowledge of the secret number, with a zero-knowledge protocol using the Montgomery representation of numbers and Montgomery multiplication operations therein.

According to another aspect, the present invention provides a prover device having contained therein a secret number s in Montgomery representation, the device adapted for proving the knowledge of the secret number s to a verifier device without conveying knowledge of the secret number itself, with a zero-knowledge protocol using the Montgomery representation of numbers and Montgomery multiplication operations therein.

According to another aspect, the present invention provides a verifier device for verifying the knowledge of a secret number s in a prover device without knowledge of the secret number itself, with a zero-knowledge protocol using the Montgomery representation of numbers and Montgomery multiplication operations therein.

According to another aspect, the present invention provides a method of proving the knowledge of a secret number s in a prover device to a verifier device having no knowledge of the secret number, with a zero-knowledge protocol using the Montgomery representation of numbers and Montgomery multiplication operations therein, comprising the steps of:

selecting a random number, r;
computing the Montgomery power of r to obtain x;
transmitting x to a verifier device;
receiving a challenge value, a;
computing the Montgomery product y = r Xm s^a; and
transmitting y to the verifier device.
According to another aspect, the present invention provides a method of verifying the knowledge of a secret number s in a prover device by a verifier device having no knowledge of the secret number, with a zero-knowledge protocol using the Montgomery representation of numbers and Montgomery multiplication operations therein, comprising the steps of:

receiving the Montgomery square v of the secret number s;
receiving the Montgomery square, x, of a random number, r;
transmitting a challenge value, e, to the prover device;
checking the authenticity of the prover's response, y, according to the Montgomery square of y verified against the values of x and/or v received from the prover device according to the challenge value e.

According to another aspect, the present invention provides a method of verifying the knowledge of a secret number s in a prover device by a verifier device having no knowledge of the secret number, with a zero-knowledge protocol using the Montgomery representation of numbers and Montgomery multiplication operations therein, comprising the steps of:

receiving the Montgomery e-th power of the secret number s;
receiving the Montgomery e-th power, x, of a random number, r;
transmitting a challenge value, c, to the prover device;
checking the authenticity of the prover's response, y, according to the Montgomery e-th power of y verified against the Montgomery product x Xm s^(ec), x having been received from the prover device, according to the challenge value c.
Embodiments of the present invention will now be described by way of example and with reference to the accompanying drawings in which:

Figure 1 shows a schematic flow diagram of a protocol according to the present invention;

Figure 2 shows a block diagram of apparatus suitable for implementing the protocol of figure 1; and

Figure 3 shows a schematic flow diagram of an alternative protocol according to the present invention.

In a preferred example, the invention offers an improvement over the existing basic Fiat-Shamir protocol.

The purpose of the Fiat-Shamir protocol is for the prover P to convince the verifier V that he knows a secret s (a number), but without revealing that secret to V, or indeed to anyone else who may eavesdrop on the protocol.

To be effective, the protocol is conventionally conducted over a 
reasonably large number of rounds (or "trials"). Each round gives V an 
increasing degree of confidence that P does in fact know the number s. 

The number s remains private within the domain of the prover. In the first instance, the prover P provides the square of the number s modulo n to a trusted third party, v = s^2 mod n. For example, v may be a public key for prover P, and the private key s is then the smallest case for which s = sqrt(v) mod n. The trusted third party is also generally assumed to be the creator of the modulus n from its constituent prime factors.

The trusted third party provides v to the verifier V. Since n is a product of at least two large primes unknown to V (typically a 1024 or 2048 bit number), it is extremely difficult to factorise, and this in turn makes it computationally infeasible to derive s given v; thus the trusted third party can give V the value of v without revealing s.

Each round of the Fiat-Shamir protocol works in three stages.

Stage 1

The prover P chooses a random number r mod n, and commits to it by calculating r^2 mod n and transmitting this to the verifier V. Note that the verifier V cannot compute r for the same reason as before - taking square roots modulo a large composite number of unknown factorisation is computationally infeasible.
Stage 2

The verifier V now chooses one of two questions to ask prover P. The prover does not know in advance which of these two questions he is going to be asked, but he will only be able to answer both of them correctly if he genuinely knows the secret s. The verifier can ask either for the value of the product r.s mod n, or for the value of r that the prover has just chosen.

This is generally performed by V sending a bit e to P indicating his choice of question, referred to as the "challenge" or "examination", such that the prover has to provide the answer, y = r.s^e mod n, where e is in {0, 1}.
Stage 3

The prover P provides y = r.s^e mod n as requested and the verifier checks the result as follows.

If the challenge was for e = 1, the verifier expects to have received r.s mod n. The verifier cannot deduce any information about s from this, because r is a random number not known to V. Therefore, the verifier checks that the response squared (i.e. y^2 mod n, which should be (r.s)^2 mod n) is the same as r^2 . s^2 mod n. The verifier received r^2 from P in Stage 1 of this round, and gets s^2 (= v) from the trusted third party.

If the challenge was for e = 0, the verifier expects to have received r, and checks that its square matches the value r^2 mod n provided in Stage 1.

The point of challenge e = 0 becomes clear when consideration is given to how an impersonator of P might behave, without having knowledge of s. An impersonator who does not know s can fake (by pre-calculation) a correct answer to the e = 1 challenge, but this proves to be a gamble since he does not know in advance what question he will be asked. He could do this by:

* selecting any random r, getting v from the trusted third party, and then sending (r^2 . v^-1) mod n to V during Stage 1
* if he is challenged e = 1 by V at Stage 2, then he responds with r as his value of y in Stage 3
* this looks acceptable to V, which will check that y^2 = r^2 = (r^2 . v^-1) . v.

However, the impersonator will not, in this instance, be able to answer challenge e = 0 correctly, since he would need to present a square root of (r^2 . v^-1) mod n, which in turn would require him to know a square root of v^-1 mod n. Equivalently, he needs to know a square root of v mod n, i.e. he needs to know s to answer e = 0 correctly.

On the other hand, the impersonator could gamble on being challenged e = 0. This just involves him selecting a random r, presenting r^2 in Stage 1 and presenting r in Stage 3 in response to challenge e = 0, which again looks acceptable to V. But had he chosen this approach, he is unable to provide r.s mod n through lack of knowledge of s, if the challenge is e = 1 in Stage 2.

The complete protocol requires execution of a sufficient number of rounds to satisfy V that it is in fact conversing with P, and not an impersonator, given that the impersonator has a 50:50 chance of selecting the correct strategy in each round. If the protocol requires 20 rounds, i.e. 20 sequential correct responses to the challenge e = {0, 1}, the odds of an impersonator that does not know s successfully proving to V is less than 1 in 1,000,000. For 40 rounds, that probability decreases to less than 1 in 10^12.

Each round requires the use of a new value of r. The protocol also requires that the response to a challenge be provided within a time limit determined by it being computationally infeasible that an impersonator can compute the answer to the challenge other than the straightforward multiplication r.s^e mod n anticipated.

It is clearly of benefit to ensure that all of the computation operations during execution of the protocol are easily performed by low power devices with restricted computational power, so that multiple successive rounds can be carried out quickly.
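The three-stage round described above, written out as an added example (it is not code from the patent): a trusted third party publishes v = s^2 mod n, the prover commits to r^2 mod n, answers y = r.s^e mod n, and the verifier applies the single check y^2 = x.v^e mod n that covers both challenges. The "precomputing impersonator" implements the gamble discussed in the text and shows why the e = 0 challenge is needed: it passes every e = 1 round and fails the first e = 0 round. The modulus is a constructed toy value; a real n is 1024 or 2048 bits.

```python
import secrets

# Constructed demo modulus: two small primes, NOT a secure size (a real n is 1024-2048 bits).
P_DEMO, Q_DEMO = 1000003, 1000033
N = P_DEMO * Q_DEMO


def ttp_public_value(s, n=N):
    """Trusted third party publishes v = s^2 mod n; s never leaves the prover."""
    return s * s % n


def prover_commit(n=N):
    """Stage 1: pick a random r mod n and commit to it with x = r^2 mod n."""
    r = secrets.randbelow(n - 2) + 2
    return r, r * r % n


def prover_respond(r, s, e, n=N):
    """Stage 3: y = r.s^e mod n, i.e. r itself for e = 0 and r.s for e = 1."""
    return r * pow(s, e, n) % n


def verifier_check(x, v, e, y, n=N):
    """Verifier's single check for both challenges: y^2 == x.v^e mod n
    (x = r^2 from Stage 1, v from the trusted third party)."""
    return y * y % n == x * pow(v, e, n) % n


def run_rounds(commit, respond, v, rounds, n=N, challenges=None):
    """Run `rounds` three-stage rounds; True only if every response verifies.
    `challenges` is an optional constructed list of verifier bits for reproducible runs."""
    for i in range(rounds):
        state, x = commit()                                                # Stage 1
        e = secrets.randbelow(2) if challenges is None else challenges[i]  # Stage 2
        y = respond(state, e)                                              # Stage 3
        if not verifier_check(x, v, e, y, n):
            return False
    return True


def honest_prover(s, n=N):
    """Commit/respond pair for a prover that really holds s."""
    return (lambda: prover_commit(n)), (lambda r, e: prover_respond(r, s, e, n))


def precomputing_impersonator(v, n=N):
    """The strategy discussed in the text: commit to r^2.v^-1 and hope for e = 1, when
    sending y = r passes (y^2 = r^2 = (r^2.v^-1).v). Without s there is no square root of
    r^2.v^-1 to send for e = 0, so it can only repeat r and fail that check."""
    v_inv = pow(v, -1, n)

    def commit():
        r = secrets.randbelow(n - 2) + 2
        return r, r * r * v_inv % n

    def respond(r, e):
        return r

    return commit, respond


def cheat_bound(rounds):
    """Chance a challenge-guessing impersonator survives all rounds: 2^-rounds."""
    return 2.0 ** -rounds
```

Running twenty honest rounds gives `cheat_bound(20)` below one in a million, matching the figure quoted in the text; the verifier's check is deliberately the same expression for both challenges so the code path does not leak which question was asked.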

According to the present invention, it has been recognised that zero knowledge protocols such as the Fiat-Shamir protocol discussed above can be implemented entirely using Montgomery representations of the numeric quantities used in the protocols. This offers significant improvements in computational efficiency for both the prover and verifier.

The solution proposed is based on the Montgomery representation of a number z ∈ Zn. The Montgomery representation zm of the number z is given by zm = zR mod n, where the number R is much larger than n, both R and n being known to the prover device and to the verifier device.

Montgomery multiplication is performed as follows. For two numbers am and bm being the Montgomery representation of the numbers a and b, the modular multiplication is given by:

am Xm bm = am.bm.R^-1 mod n.



As in the conventional Fiat-Shamir protocol, n is a publicly known modulus that is a product of two prime numbers p and q which remain secret in the domain of a trusted third party.
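The representation and the product defined above, as an added example that is not part of the patent: R is taken as the power of two just above n (an assumption; the text only requires R larger than n), and the reduction is done with the standard Montgomery REDC step, which is where the efficiency comes from, since it replaces a long division by n with a mask and a shift. The result is checked against the definition am.bm.R^-1 mod n. The modulus is a constructed toy value.

```python
# Constructed toy modulus (two small primes); a real n is 1024-2048 bits. Montgomery
# arithmetic needs n odd and R = 2^k > n so that reduction is a shift instead of a division.
N = 1000003 * 1000033
K = N.bit_length()
R = 1 << K
R_MASK = R - 1
N_PRIME = (-pow(N, -1, R)) % R   # n' with n.n' = -1 (mod R), precomputed once
R_INV = pow(R, -1, N)            # only used here to check results against the definition


def to_mont(z):
    """Montgomery representation z_m = z.R mod n (a one-off conversion per value)."""
    return z * R % N


def from_mont(z_m):
    """Inverse conversion z = z_m.R^-1 mod n."""
    return z_m * R_INV % N


def redc(t):
    """Montgomery reduction of t < n.R: returns t.R^-1 mod n with one mask, one shift
    and two multiplications, and no long division by n."""
    m = ((t & R_MASK) * N_PRIME) & R_MASK   # makes t + m.n divisible by R
    u = (t + m * N) >> K
    return u - N if u >= N else u


def mont_mul(a_m, b_m):
    """a_m Xm b_m = a_m.b_m.R^-1 mod n: the product of two Montgomery numbers is again
    the Montgomery representation of a.b mod n, so no conversion is needed between steps."""
    return redc(a_m * b_m)


def mont_one():
    """Montgomery representation of 1 is R mod n, not the integer 1."""
    return R % N


def product_matches_definition(a, b):
    """Check mont_mul against the textbook definition and against to_mont(a.b mod n)."""
    a_m, b_m = to_mont(a), to_mont(b)
    by_definition = a_m * b_m * R_INV % N
    return mont_mul(a_m, b_m) == by_definition == to_mont(a * b % N)
```

The `mont_one` helper matters for the protocols that follow: a value raised to the power zero in the Montgomery domain must be R mod n, because multiplying by the integer 1 would divide by R.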

With reference to figure 1, in this scheme, the secret s (step 101) can be regarded as the Montgomery representation of another number, s'. A trusted third party may store the Montgomery representation of s'^2, i.e. s Xm s, where the squaring is performed according to the Montgomery multiplication s Xm s, which we refer to hereinafter as v. This may be regarded as the public key for the prover, P. In general, the Montgomery product is calculated (step 102) and provided to the verifier domain (step 103) whether this is by way of a trusted third party 20 or otherwise directly from the prover. In this way, the integrity of the value v may be assured.

These steps 101 to 103 may be regarded as an initial set up 
procedure which is executed once for many iterations or uses of the three 
stage protocol now to be described. 
Stage 1

In the first stage of the modified protocol, P chooses a random number r ∈ Zn (step 105) which can be interpreted as the Montgomery representation of another number, r'. P performs a Montgomery multiplication of r with itself (step 106), yielding r Xm r (hereinafter referred to as x), which is the Montgomery representation of r'^2, and sends x (= r Xm r) to the verifier (step 107).
Stage 2

In the second stage of the modified protocol, the verifier V sends a challenge e ∈ {0, 1} to the prover P (step 108).
Stage 3

In the third stage of the modified protocol, P computes the Montgomery multiplication of r and s^e, i.e. r Xm s^e, hereinafter referred to as y (step 110), and sends this number to the verifier, V (step 111). On receiving y (step 112), V then performs one of the following two checks depending upon the challenge value of e (step 113).

In the case of e = 1, V calculates the value for y Xm y, and the value for v Xm x (step 115), and checks (step 116) whether the two calculated values are equal, i.e. whether y Xm y = v Xm x. This requires two Montgomery multiplications instead of two ordinary modular multiplications.

In the alternate case of e = 0, the verifier V calculates y^2 = y Xm y (step 120) (which is equivalent to r Xm r, because the term s^e evaluates to unity). V then checks (step 121) whether y^2 (the Montgomery square of the number y that was sent in steps 111, 112) equals the number x (= r Xm r) that had been sent before in steps 106, 107. This requires only one Montgomery multiplication instead of one ordinary modular multiplication.

If either of the checks of steps 116 or 121 fails, that constitutes a failure of the protocol (step 122) and the verifier will conclude that prover P has failed to establish its knowledge of the secret s.

If either of the checks of steps 116 or 121 evaluates as true, a decision is then made in step 125 as to whether further iterations of the protocol are required to satisfy the integrity of P, i.e. to assure V that P has possession of the secret s (step 126). If further iterations are required, the protocol is repeated from step 105 with a new random value, r.
As a consequence of the modified protocol, both P and V have only to perform Montgomery multiplications (in steps 106, 110, and in steps 115, 120 respectively) which are more efficient than ordinary multiplications mod n (as in the conventional Fiat-Shamir scheme).

No numbers need be converted into Montgomery representation or the reverse during execution of the protocol, because the starting numbers, s, v, r are already in Montgomery representation. This makes the modified protocol even more efficient.
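Steps 101 to 126 of the modified protocol, as an added example that is not the patent's own code: every quantity (s, v, r, x, y) lives in the Montgomery domain and nothing is converted in or out during a round. The Montgomery product is written directly from its definition am.bm.R^-1 mod n rather than with a word-level reduction, which keeps the protocol logic visible; R is assumed to be the power of two just above n. The example also shows the one practical detail the prose leaves implicit: for e = 0 the factor s^e is the Montgomery representation of 1, i.e. R mod n, and using the integer 1 instead makes the e = 0 check fail. The modulus is a constructed toy value.

```python
import secrets

# Constructed toy modulus; real n is 1024-2048 bits. R > n is a power of two known to both parties.
N = 1000003 * 1000033
R = 1 << N.bit_length()
R_INV = pow(R, -1, N)
MONT_ONE = R % N                 # Montgomery representation of 1


def mont_mul(a_m, b_m):
    """Montgomery product as defined in the text, a_m.b_m.R^-1 mod n (a word-level
    reduction would replace this line in a real device; the protocol is unchanged)."""
    return a_m * b_m * R_INV % N


def mont_square(z_m):
    return mont_mul(z_m, z_m)


def ttp_public_value(s):
    """Steps 101-103: v = s Xm s, stored by the trusted third party and given to V."""
    return mont_square(s)


def prover_commit():
    """Steps 105-107: random r in Z_n, commitment x = r Xm r."""
    r = secrets.randbelow(N - 2) + 2
    return r, mont_square(r)


def prover_respond(r, s, e):
    """Step 110: y = r Xm s^e. For e = 0 the factor must be the Montgomery one (R mod n);
    the integer 1 would yield r.R^-1 mod n and the e = 0 check would fail."""
    return mont_mul(r, s if e == 1 else MONT_ONE)


def verifier_check(x, v, e, y):
    """Steps 113-121: e = 1 needs y Xm y == v Xm x (two Montgomery multiplications),
    e = 0 needs y Xm y == x (one)."""
    y2 = mont_square(y)
    return y2 == mont_mul(v, x) if e == 1 else y2 == x


def run_rounds(s, rounds, challenges=None):
    """Steps 105-126 repeated; `challenges` is an optional constructed list of bits."""
    v = ttp_public_value(s)
    for i in range(rounds):
        r, x = prover_commit()
        e = secrets.randbelow(2) if challenges is None else challenges[i]
        if not verifier_check(x, v, e, prover_respond(r, s, e)):
            return False
    return True


def wrong_unity_passes(s, r):
    """Pitfall check: answer e = 0 with r Xm 1 instead of r Xm (R mod n)."""
    return verifier_check(mont_square(r), ttp_public_value(s), 0, mont_mul(r, 1))


def underlying_relation_holds(s, r, e):
    """The interpretation in the text: y is the Montgomery representation of r'.s'^e mod n,
    where s = s'.R mod n and r = r'.R mod n."""
    y = prover_respond(r, s, e)
    s_prime, r_prime = s * R_INV % N, r * R_INV % N
    return y * R_INV % N == r_prime * pow(s_prime, e, N) % N
```

`underlying_relation_holds` confirms that the Montgomery-domain exchange is exactly the conventional Fiat-Shamir exchange on the underlying numbers s' and r', which is why the security argument of the original protocol carries over unchanged.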

It will be understood that the protocol requires that it must be computationally infeasible for an impersonator prover, P', to compute either a square root of (r^2 Xm v^-1) or the square root of v, depending upon whether an impersonator P' elects to gamble on a challenge e of either 1 or 0, and certainly computationally infeasible within a timeframe that would normally be accepted by V between transmission step 106 and receiving step 112.

The protocol described above may be implemented in any suitable hardware or software. A preferred implementation is shown in figure 2.

A prover device 10 may comprise a smart card or similar low power device, such as a pay-TV card, a credit card or a SIM card for a mobile telephone. The device 10 may comprise the smart card itself, or the card together with the device into which it is inserted. For example, where the card is "read" (or interrogated) by a verifying device, the card itself may be provided with a limited processing capability in the form of processor 11. Where the card is plugged into or used within a suitable device (such as a satellite TV receiver or mobile telephone) which can also be considered as forming part of the domain of P, then the processing capability 11 may reside in the device which receives the card.

The verifier device 30 may be a card reader (for direct interrogation of, for example, a credit card) or may be a remote device that interrogates a device into which the card is installed. For example, the verifier device 30 may be a satellite TV transmitter that interrogates a set top box into which an authorisation card is inserted. Alternatively, the verifier device 30 could be a mobile telephony base station that communicates with a mobile telephone and its SIM card.

In preferred arrangements, prover device 10 includes memory registers for s, r, x and y held in Montgomery representation, and a random number generator 12.

In preferred arrangements, verifier device 30 includes a processor 
31 and registers for v and y in Montgomery representation; and a random 
number generator for e. 

In preferred arrangements, a trusted third party device 20 includes a processor 31 and maintains a register for v in Montgomery representation. The third party device may also be the provider of v and s as the public / private key pair for prover 10, and provide the value of n derived from secret prime numbers p and q.

It will be understood that the expression "random" when used in connection with the generation of random number r and random value of e from the set {0, 1} implies merely that the value of r or e selected by the sending party must be sufficiently unpredictable in the receiving party domain that no useful pattern of values for prediction of or inference about the next value to be issued can be determined by the receiving party.
Each of the devices 10, 20, 30 may be in communication with one another using any suitable connection by which data transfer may be made. This includes wireless links using any suitable medium such as radio, microwave, optical, infrared, sonic and the like. The connections may be by way of direct electrical connections, transient or permanent, or via a switching or packet based network.

As discussed earlier, it has been determined that the Fiat-Shamir protocol can be modified to operate with Montgomery representations of numbers and Montgomery arithmetic. The principle is also found to extend to other protocols based on an RSA-like structure. A further example is now given in which the Guillou-Quisquater protocol is adapted to use Montgomery representations of numbers.

The Guillou-Quisquater protocol is an extension of the Fiat-Shamir protocol making use of higher powers. It allows a reduction in both the number of messages and memory requirements for establishing a prover's knowledge of a secret number, s.

In the Guillou-Quisquater protocol, a trusted third party chooses two RSA primes p and q and computes the product n = pq. The trusted third party defines a public exponent e > 3 with gcd(e, φ(n)) = 1 and computes its private exponent d = e^-1 mod φ(n). The system parameters (e, n) are made public.

With reference to figure 3, in the modified protocol according to the present invention, all the numbers are given in Montgomery representation and all computations are done using Montgomery arithmetic. The secret of the prover P is s ∈ Zn (step 301) and may be considered as the Montgomery representation of another number s'. The trusted third party TTP then computes and stores the Montgomery representation of s'^e, i.e. s Xm s Xm s ... Xm s (e times), hereinafter s^e. The verifier V receives and stores s^e from the trusted third party.

The protocol proceeds as follows: 

P chooses a number r ∈ Zn at random (step 305). r can be considered as the Montgomery representation of another number r'. P then computes the Montgomery e-th power of r: x = r^e (i.e. r Xm r Xm r ... Xm r (e times)) and sends x to the verifier V (step 306). Note that x is the Montgomery representation of r'^e.

V receives x (step 307) and chooses a challenge value c ∈ {0, 1, ..., e - 1} at random, which V sends to P (step 308).

In response to the challenge c, P computes y = r Xm s^c mod n (step 310) and sends y to V (step 311).

On receipt of y (step 312), V calculates the Montgomery power y^e (step 313) and the Montgomery power s^(ec), i.e. the c-th Montgomery power of the stored value s^e (step 314), and checks to see if y^e = x Xm s^(ec) (step 315). If it does not, the protocol fails (step 322) and V must conclude that P does not know s.
If the check proves that y^e = x Xm s^(ec), then V checks to see whether sufficient iterations of the protocol have been carried out to verify that P knows s to a sufficient degree of certainty (step 325). If yes, the process terminates (step 326), and if not, the protocol is repeated with the selection of a new random number r by P (step 305). It is a general goal of the Guillou-Quisquater protocol that fewer rounds need be performed than in the Fiat-Shamir protocol in order to achieve a comparable degree of certainty.
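Steps 301 to 326 of the Montgomery form of the Guillou-Quisquater protocol, as an added example that is not the patent's own code. The Montgomery product is again taken directly from its definition am.bm.R^-1 mod n, with R assumed to be the power of two just above n, and every power is built from that product so that s^(ec) is obtained as the c-th Montgomery power of the stored s^e, which is all the verifier holds. The public exponent e = 17 and the modulus are constructed toy parameters with gcd(e, φ(n)) = 1. The final helper counts the rounds needed for a given error bound on the standard assumption (not stated in the text) that a guessing impersonator can answer only one of the e challenge values per round, which is what makes fewer rounds sufficient than in the two-challenge Fiat-Shamir protocol.

```python
import secrets

# Constructed toy parameters: n = pq from two small primes (real RSA primes are far larger)
# and a public exponent e with gcd(e, phi(n)) = 1.
N = 1000003 * 1000033
E = 17
R = 1 << N.bit_length()
R_INV = pow(R, -1, N)
MONT_ONE = R % N                 # Montgomery representation of 1


def mont_mul(a_m, b_m):
    """a_m Xm b_m = a_m.b_m.R^-1 mod n, the definition used throughout the text."""
    return a_m * b_m * R_INV % N


def mont_pow(z_m, k):
    """k-th Montgomery power z Xm z ... Xm z (k times); k = 0 gives the Montgomery one."""
    acc = MONT_ONE
    for _ in range(k):
        acc = mont_mul(acc, z_m)
    return acc


def ttp_public_value(s):
    """Step 301 onwards: the TTP stores s^e (Montgomery e-th power) and hands it to V."""
    return mont_pow(s, E)


def prover_commit():
    """Steps 305-306: random r, commitment x = r^e in Montgomery arithmetic."""
    r = secrets.randbelow(N - 2) + 2
    return r, mont_pow(r, E)


def verifier_challenge():
    """Step 308: c drawn from {0, 1, ..., e - 1}, so each round has e outcomes, not two."""
    return secrets.randbelow(E)


def prover_respond(r, s, c):
    """Step 310: y = r Xm s^c."""
    return mont_mul(r, mont_pow(s, c))


def verifier_check(x, v, c, y):
    """Steps 313-315: y^e == x Xm s^(ec), where s^(ec) is the c-th Montgomery power of the
    stored v = s^e; V never needs s itself."""
    return mont_pow(y, E) == mont_mul(x, mont_pow(v, c))


def run_rounds(s, rounds, challenges=None):
    """Steps 305-326; `challenges` is an optional constructed list of values in range(e)."""
    v = ttp_public_value(s)
    for i in range(rounds):
        r, x = prover_commit()
        c = verifier_challenge() if challenges is None else challenges[i]
        if not verifier_check(x, v, c, prover_respond(r, s, c)):
            return False
    return True


def rounds_for_error_bound(bound):
    """Rounds needed so that a challenge-guessing impersonator (assumed chance 1/e per
    round) survives with probability below `bound`; Fiat-Shamir has chance 1/2 per round."""
    k, p = 0, 1.0
    while p >= bound:
        k, p = k + 1, p / E
    return k
```

With e = 17, five rounds already push the guessing impersonator below one in a million, against the twenty rounds the text quotes for Fiat-Shamir; a response computed for the wrong challenge value fails the check because it corresponds to a different power of v.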
Other embodiments are intentionally within the scope of the accompanying claims.



